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01 October 2021 
Dear Sirs 


RE: Draft Regional Policy on the Use of Restrictive Practices in 
Health and Social Care Settings and Regional Operational 
Procedure for the Use of Seclusion 


Thank you for inviting the Information Commissioner’s Office (ICO) to 
respond to the above Consultation. 


As you will be aware, the Information Commissioner's role includes the 
regulation of the Data Protection Act 2018 (DPA18), the UK General Data 
Protection Regulation (UK GDPR) and the Freedom of Information Act 
2000. Given our role as an independent Regulator, it would not be 
appropriate for us to respond in detail to the practical application of the 
draft regional policy outlined in the consultation document. 


However, we acknowledge the importance of fair and transparent policies 
and procedures within the health and social care sector and its 
Subsequent impact on public trust and confidence. To maintain this trust 
and confidence, any such processing of personal data must be in 
accordance with data protection legislation. With respect to this, we have 
provided general comments for your consideration below. 


Use of personal data within reporting 

The consultation makes reference to the importance of clear recording, 
reporting, monitoring and governance arrangements to support the 
implementation of the regional policy. Where the reported data contains 
information that could be used to identify an individual directly, or 
indirectly, such processing will fall under the UK GDPR. Only if the data is 
truly anonymised will data protection legislation not apply. 
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If the data used within reporting is determined to be personal data, the 
relevant data controller will need to adhere fully to UK data protection 
law. 


In particular, consideration should be given to ensuring compliance with 
Article 5(1)(c) which outlines the data minimisation principle. It is 
important for organisation’s not to process more information than is 
required to achieve the purpose of the processing. The ICO acknowledges 
section 10.5 of the consultation which states that an appointed Health and 
Social Care Board (HSCB) Director will be responsible for agreeing the 
detail of data to be collected for reporting purposes. The HSCB Director 
may wish to engage with the HSC Data Protection Officer to ensure 
compliance with all data protection law and principles. 


CCTV 
Sections 11.59 and 11.96 outline the use of CCTV in observing patients 
within seclusion rooms. 


As per ICO guidance, CCTV should not typically be used in areas or rooms 
where individuals receive personal care or where they could reasonably 
expect relative privacy. This is likely to include areas such as bedrooms, 
treatments rooms and bathrooms/sanitary accommodation. 


Any positive determination on the use of CCTV in spaces where 
individuals could reasonably expect privacy, must be supported by a 
strong justification for doing so. The data controller should be in a 
position to outline the necessity, fairness and proportionality of any such 
decision. This should be evidenced in the form of a Data Protection 
Impact Assessment (DPIA). 


The DPIA should include the lawful basis for processing, noting that in a 
healthcare setting this will most likely include the processing of special 
category data and therefore the requirement for a separate condition for 
the processing under Article 9. The purpose of the processing, and a 
fulsome consideration of the risks and any potential harm that may be 
incurred by an individual from the recording should also be documented. 
A DPIA should also acknowledge the potential intrusiveness of such 
recording and clearly clarify how the live or recorded footage will be used. 
Further guidance on DPIAs can be found here on our website. 


In addition to the above, the Department should consider and outline how 
the proposed processing meets the seven key principles under the UK 
GDPR, including, but not limited to the retention and security of the 
footage, as well as address how the rights of the individual are being met. 
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This should include the rights of anyone captured on the footage, 
including HSC staff and patients. In particular, you should consider how 
the right of access will be exercised and how an individual’s right to be 
informed is communicated. This will typically require signs that outline if 
video and/or audio recording is taking place within a certain space. 
Particular care should be taken to ensure that the information you provide 
iS appropriately written, using clear and plain language and suitable for 
the intended audience. 


The Department may wish to consider considering the guidance issued by 
the Surveillance Camera Commissioner. 


Data sharing between organisations 

The ICO acknowledges the multitude of organisations involved in 
delivering a health and social care service across Northern Ireland and the 
requirement to share personal data to deliver a high standard of care. The 
consultation outlines a number of agencies beyond the HSC that data may 
be shared with. It is important to note that UK data protection law does 
not prohibit the sharing of personal data between organisations. However 
you may wish to consult the ICO’s Data Sharing Code of Practice to 
ensure compliance with data protection law prior to undertaking multi 
disciplinary data sharing. 


Data sharing with next of kin/significant others 

It is apparent that section 11.49 of the consultation recommends that 
next of kin/significant others should be informed in a timely manner of 
the necessity for seclusion. It is important to ensure that the disclosure of 
personal data to an individual’s next of kin is undertaken in a manner that 
is compliant with UK data protection law and existing policies and 
procedures on disclosure. 


Staff Training 

Encouragingly, the consultation paper makes multiple references to staff 
training. Given the potential scope for personal data processing, the use 
of CCTV and the sharing off personal information, consideration should be 
given to ensuring that staff members are provided with practical data 
protection training that is specific to their role. Such training should be 
refreshed on a regular basis. 

In addition, it will be important that supporting guidance accompanies this 
policy and regional procedure prior to it being made operational. This will 
help staff within Health and Social Care settings to understand not only 
how to implement it, but importantly the data protection implications for 
them. 
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To conclude, while the ICO cannot endorse the implementation of the 
draft regional policy, we take this opportunity to stress the importance of 
incorporating appropriate systems to ensure compliance with data 
protection legislation. You may find it helpful to consult our website and in 
particular the information that is contained within the Guide to the UK 
GDPR. 


We hope you find the above comments helpful as you move forward with 
your proposals. Please do not hesitate to contact our office should you 
wish to discuss this further. 
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